@mrz1836 mrz1836 commented Nov 20, 2025

What Changed

  • Updated 1 individual file(s) to synchronize with the source repository
  • Synchronized 4 file(s) from directory mappings
  • Applied file transformations and updates based on sync configuration
  • Brought target repository in line with source repository state at commit 486cb83

Directory Synchronization Details

The following directories were synchronized:

.github/tech-conventions

  • Files synced: 0
  • Files examined: 15
  • Files excluded: 0
  • Processing time: 964ms

.github/ISSUE_TEMPLATE

  • Files synced: 0
  • Files examined: 3
  • Files excluded: 0
  • Processing time: 507ms

.github/workflows

  • Files synced: 4
  • Files examined: 26
  • Files excluded: 0
  • Processing time: 1595ms

.github/actions

  • Files synced: 0
  • Files examined: 16
  • Files excluded: 0
  • Processing time: 1084ms

.vscode

  • Files synced: 0
  • Files examined: 4
  • Files excluded: 0
  • Processing time: 525ms

Performance Metrics

  • Files processed: 84 (5 changed, 0 deleted, 79 skipped)
  • Files attempted to change: 5 (go-broadcast processing)
  • File processing time: 8644ms

Why It Was Necessary

This synchronization ensures the target repository stays up-to-date with the latest changes from the configured source repository. The sync operation identifies and applies only the necessary file changes while maintaining consistency across repositories.

Testing Performed

  • Validated sync configuration and file mappings
  • Verified file transformations applied correctly
  • Confirmed no unintended changes were introduced
  • All automated checks and linters passed

Impact / Risk

  • Low Risk: Standard sync operation with established patterns
  • No Breaking Changes: File updates maintain backward compatibility
  • Performance: No impact on application performance
  • Dependencies: No dependency changes included in this sync

Copilot AI review requested due to automatic review settings November 20, 2025 16:32
@mrz1836 mrz1836 self-assigned this Nov 20, 2025
@mrz1836 mrz1836 added the automated-sync, automerge and chore labels Nov 20, 2025
@github-actions github-actions bot added the size/XL and update labels Nov 20, 2025
@mrz1836 mrz1836 merged commit 565df4b into master Nov 20, 2025
50 checks passed
@github-actions github-actions bot deleted the chore/sync-files-bsv-blockchain-test-20251120-113203-10bd2e8 branch November 20, 2025 16:36
Copilot AI left a comment

Pull Request Overview

This PR synchronizes GitHub Actions workflow files and configuration from a source repository, bringing in enhancements to the Dependabot auto-merge and auto-merge-on-approval workflows. The changes include version updates to security tooling, support for indirect dependency auto-merge, enhanced security detection, improved logging, and a new label-based gating mechanism for auto-merge.

  • Updated CodeQL actions from v4.31.3 to v4.31.4 across security workflows
  • Added granular control for indirect (transitive) dependency auto-merge with new configuration options
  • Enhanced security update detection with multi-layered checks including GitHub Security Advisories API integration
  • Introduced auto-merge label requirement feature for better control over when auto-merge is allowed

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • .github/workflows/scorecard.yml: Updated CodeQL action to v4.31.4 for SARIF upload
  • .github/workflows/codeql-analysis.yml: Updated all CodeQL actions (init, autobuild, analyze) to v4.31.4
  • .github/workflows/dependabot-auto-merge.yml: Added indirect dependency auto-merge support, enhanced security detection with GraphQL API queries, improved decision logging, and new action types for indirect dependencies
  • .github/workflows/auto-merge-on-approval.yml: Added optional label requirement check for auto-merge with configurable label name
  • .github/.env.base: Added configuration for indirect dependency auto-merge, auto-merge label requirements, and updated tool versions (MAGE_X v1.7.16, Gitleaks 8.29.1)


echo "🌐 Check 3: Querying GitHub Security Advisories API..."
DEPENDENCY="${{ steps.metadata.outputs.dependency-names }}"
echo " Package: $DEPENDENCY"
echo " Ecosystem: GO"

Copilot AI Nov 20, 2025

The ecosystem is hardcoded to "GO" but should use the dynamic value from the metadata. This workflow may be synced to non-Go repositories where hardcoding "GO" will cause incorrect security advisory queries.

Consider using:

ECOSYSTEM="${{ steps.metadata.outputs.package-ecosystem }}"
echo "  Ecosystem: $ECOSYSTEM"

And then using the uppercase version in the GraphQL query at line 280.

vulnerableVersionRange
}
}
}' -f ecosystem=GO -f package="$DEPENDENCY" --jq '.data.securityVulnerabilities.nodes | length' 2>/dev/null || echo "0")
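Review bot: the trailing `2>/dev/null || echo "0"` on the securityVulnerabilities query collapses every failure of the advisory lookup (authentication, rate limiting, a network error, or the ecosystem argument being rejected) into a vulnerability count of 0, so a broken query is indistinguishable from "no known advisories" and the security gate silently degrades to the ordinary auto-merge rules. Capture the exit status instead of masking it, for example `VULN_COUNT=$(... --jq '.data.securityVulnerabilities.nodes | length') || VULN_COUNT="unknown"`, keep the stderr output in the job log, and treat "unknown" as not safe to auto-merge rather than as zero.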

Copilot AI Nov 20, 2025

The GraphQL query hardcodes ecosystem=GO, which should be dynamic based on the package ecosystem from Dependabot metadata. This will fail or return incorrect results for non-Go dependencies.

The ecosystem parameter should use a variable that matches the actual package ecosystem (e.g., NPM, PIP, COMPOSER, etc.) from steps.metadata.outputs.package-ecosystem. Note that the ecosystem value may need to be uppercased to match the GraphQL SecurityAdvisoryEcosystem enum values.

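Both comments above concern the same hardcoded ecosystem; as an added example, not code from the synced workflow or from the Copilot review, the shell functions below derive the SecurityAdvisoryEcosystem value from the Dependabot ecosystem string and refuse to build the query when it cannot be mapped. It assumes steps.metadata.outputs.package-ecosystem carries values in the dependabot/fetch-metadata branch convention such as go_modules or npm_and_yarn, which is why plain upper-casing (GO_MODULES) would not match the enum.

```shell
#!/bin/sh
# Added example, not the synced workflow's code. Maps the Dependabot ecosystem
# string (assumed to look like "go_modules", "npm_and_yarn", "github_actions")
# onto the SecurityAdvisoryEcosystem enum used by the securityVulnerabilities
# GraphQL query. Unknown values return 1 so the caller never guesses.
graphql_ecosystem() {
  # Lower-case first so "Go_Modules" and "go_modules" are treated alike.
  eco=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$eco" in
    go_modules|gomod|go)      echo GO ;;
    npm_and_yarn|npm|yarn)    echo NPM ;;
    pip|pipenv|poetry)        echo PIP ;;
    composer)                 echo COMPOSER ;;
    maven|gradle)             echo MAVEN ;;
    nuget)                    echo NUGET ;;
    bundler|rubygems)         echo RUBYGEMS ;;
    cargo|rust)               echo RUST ;;
    github_actions|actions)   echo ACTIONS ;;
    *)                        return 1 ;;
  esac
}

# Builds the "-f ecosystem=... -f package=..." arguments the workflow passes to
# its GraphQL call. Returns 2 (and prints a reason on stderr) for an unmapped
# ecosystem, so the security check fails loudly instead of querying "GO" for
# an npm or pip dependency.
advisory_query_args() {
  dependency=$1
  eco=$(graphql_ecosystem "$2") || {
    echo "unmapped package ecosystem: $2" >&2
    return 2
  }
  printf '%s %s %s %s\n' -f "ecosystem=$eco" -f "package=$dependency"
}
```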
fi
else
echo " ❌ AUTO_MERGE_SECURITY == false"
echo " ⏭️ Skipping security auto-merge (disabled)"

Copilot AI Nov 20, 2025

When a security update is detected but AUTO_MERGE_SECURITY is disabled, the ACTION is not set and falls through to check normal auto-merge rules. This means a security patch update could be auto-merged under the patch auto-merge rules even when security auto-merge is explicitly disabled.

Consider setting ACTION="manual-review" when IS_SECURITY == "true" but AUTO_MERGE_SECURITY == "false" to ensure security updates always require manual review when security auto-merge is disabled:

else
  echo "  ❌ AUTO_MERGE_SECURITY == false"
  ACTION="manual-review"
  echo "  🎯 MATCH! Action: $ACTION"
  echo "  📝 Reason: Security update with auto-merge disabled - requires manual review"
fi
Suggested change
echo " ⏭️ Skipping security auto-merge (disabled)"
ACTION="manual-review"
echo " 🎯 MATCH! Action: $ACTION"
echo " 📝 Reason: Security update with auto-merge disabled - requires manual review"

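To make the fall-through concrete, here is an added example (not the workflow's code) that reduces the decision to two shell functions: the structure the comment describes, where a disabled AUTO_MERGE_SECURITY leaves ACTION empty and the ordinary rules run, beside the hardened form that pins the security update to manual-review. The action names security-merge and patch-merge, and the update-type and patch-rule inputs, are assumptions standing in for the workflow's own variables.

```shell
#!/bin/sh
# Added example, not the synced workflow's code. Arguments for both functions:
#   $1 is_security          "true" when the update was detected as a security fix
#   $2 auto_merge_security  the AUTO_MERGE_SECURITY setting ("true"/"false")
#   $3 update_type          semver bump: major | minor | patch   (assumed name)
#   $4 auto_merge_patch     whether plain patch bumps may auto-merge (assumed name)
# Action values "security-merge" and "patch-merge" are assumptions; "manual-review"
# is the value the review comment proposes.

# The shape the comment flags: the disabled branch only logs, ACTION stays empty,
# and the patch rule below happily auto-merges the security update anyway.
decide_action_fallthrough() {
  ACTION=""
  if [ "$1" = "true" ]; then
    if [ "$2" = "true" ]; then
      ACTION="security-merge"
    fi
    # else: nothing sets ACTION here
  fi
  if [ -z "$ACTION" ] && [ "$3" = "patch" ] && [ "$4" = "true" ]; then
    ACTION="patch-merge"
  fi
  echo "${ACTION:-manual-review}"
}

# Hardened form: a security update with security auto-merge disabled is decided
# before the ordinary rules are consulted, so they cannot override it.
decide_action_fixed() {
  ACTION=""
  if [ "$1" = "true" ]; then
    if [ "$2" = "true" ]; then
      ACTION="security-merge"
    else
      ACTION="manual-review"
    fi
  fi
  if [ -z "$ACTION" ] && [ "$3" = "patch" ] && [ "$4" = "true" ]; then
    ACTION="patch-merge"
  fi
  echo "${ACTION:-manual-review}"
}
```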
Labels

  • automated-sync: Automated sync PR, e.g. from a fork or external repo
  • automerge: Label to automatically merge pull requests that meet all required conditions
  • chore: Simple dependency updates or version bumps
  • size/XL: Very large change (>500 lines)
  • update: General updates